Mar 22 2024 07:24 AM
Greetings everyone,
To begin this, let's imagine that a migration is being done for an organization and that Intune will be the chosen MDM solution.
Autopilot will be used and let's consider two different options:
There are some main things I already consider when choosing between one or the other, such as:
The main objective of this discussion is to understand the main advantages and disadvantages of each of these scenarios, in order to have a clear understanding of the possible implications of choosing the exclusively Entra join scenario (like "What capabilities are lost when we choose the Entra join scenario?").
I have read the documentation and know that "Microsoft recommends deploying new devices as cloud-native using Microsoft Entra join. Deploying new devices as Microsoft Entra hybrid join devices isn't recommended, including through Autopilot.", but I would like to get even more information regarding this topic and maybe even some professional nuance from people who have gone through the same process. Basically the good, the bad and the ugly type of insights.
I would like to thank you in advance for any corrections of misconceptions or errors I might have written in this post, and to thank everyone who takes the time to reply and be part of this discussion.
Cheers!
Mar 23 2024 02:23 AM
We faced the same challenge. We have multiple locations worldwide and migrated all computers to a domain via AutoPilot and Hybrid Join.
The reason we didn't opt for an Azure AD Join is that we have many on-premises applications requiring local authentication, such as file servers, web apps via SSO or User certificate authentication, or applications via SSO/LDAP SSO. Additionally, we have many GPOs that aren't fully translatable into Intune.
To do this, we have deployed domain controllers in Azure in different regions: America, Europe and Asia. We have set up a point-to-site VPN with certificate authentication for the Always On VPN. I always say that a hybrid join is still the best option when employees often need local resources that require seamless authentication, such as in warehouse or production environments. If many applications require local authentication, or we also have applications where the computer needs account permissions to local file servers etc., then a hybrid join is to be preferred.
But if you have small offices that mainly do their own thing, or use terminal server solutions like AVD or cloud applications, it's fine to just connect to Azure.
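Whichever option is chosen, the first thing to verify on a device that has come out of Autopilot is which join state it actually ended up in. The script below is an added example, not code posted by anyone in this thread: it parses the output of `dsregcmd /status` (a built-in Windows tool) and reports whether the device is Entra joined, hybrid joined, or only domain joined, and whether it holds a Primary Refresh Token (PRT). The function name `Get-JoinState` and the sample output are my own constructions; the sample is trimmed to the fields the function reads, real output contains many more.

```powershell
# Added example: classify a Windows device's join state from `dsregcmd /status`.
# Hybrid join  = AzureAdJoined YES and DomainJoined YES
# Entra join   = AzureAdJoined YES and DomainJoined NO
# The function name and the sample text below are constructed for this example.

function Get-JoinState {
    param(
        # Lines of dsregcmd /status output; by default the tool is run locally.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Collect "Name : Value" fields from the report; box-drawing lines are skipped.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    $prt    = $fields['AzureAdPrt']    -eq 'YES'

    $state = if ($entra -and $domain) { 'HybridJoined' }
             elseif ($entra)          { 'EntraJoined' }
             elseif ($domain)         { 'DomainJoinedOnly' }
             else                     { 'NotJoined' }

    [pscustomobject]@{
        JoinState  = $state
        # Without a PRT the user gets no cloud SSO and device-based Conditional Access checks fail.
        HasPrt     = $prt
        TenantName = $fields['TenantName']
        DomainName = $fields['DomainName']
    }
}

# Constructed sample resembling a hybrid joined device that has obtained a PRT.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

# Parse the constructed sample; call Get-JoinState with no arguments on a real device.
Get-JoinState -StatusLines $sample | Format-List
```

On a device provisioned through the hybrid join path, a result of `HybridJoined` with `HasPrt` false is the case worth chasing: the device registered with Entra, but the user has not yet obtained a PRT, so cloud SSO and device-based Conditional Access will not behave as expected until that is resolved.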
Mar 25 2024 03:47 AM